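/**
 * An explicitly configured {@code X-Frame-Options} value must replace the default value while
 * every other default security header is still written.
 */
@Test
public void requestWhenFrameOptionsConfiguredThenIncludesHeader() throws Exception {
    // Diamond keeps the copy typed; a raw HashMap would silently drop the generic checks
    Map<String, String> expectedHeaders = new HashMap<>(defaultHeaders);
    expectedHeaders.put("X-Frame-Options", "SAMEORIGIN");
    this.spring.configLocations(this.xml("WithFrameOptions")).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(expectedHeaders));
}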
/**
 * Configuring CSP policy directives must add an enforcing {@code Content-Security-Policy}
 * header on top of the default security headers.
 */
@Test
public void requestWhenContentSecurityPolicyDirectivesConfiguredThenIncludesDirectives() throws Exception {
    String location = this.xml("ContentSecurityPolicyWithPolicyDirectives");
    String policy = "default-src 'self'";
    // the defaults stay in place; CSP is added, not substituted
    Map<String, String> expected = new HashMap<>(defaultHeaders);
    expected.put("Content-Security-Policy", policy);
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(expected));
}
/**
 * With report-only enabled the policy must be emitted as
 * {@code Content-Security-Policy-Report-Only} (violations are reported, not blocked),
 * again alongside the default security headers.
 */
@Test
public void requestWhenContentSecurityPolicyConfiguredWithReportOnlyThenIncludesReportOnlyHeader() throws Exception {
    String location = this.xml("ContentSecurityPolicyWithReportOnly");
    String policy = "default-src https:; report-uri https://example.org/";
    Map<String, String> expected = new HashMap<>(defaultHeaders);
    expected.put("Content-Security-Policy-Report-Only", policy);
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(expected));
}
/**
 * With the defaults disabled and only HSTS enabled, the response must carry exactly the
 * {@code Strict-Transport-Security} header and none of the other default security headers.
 */
@Test
public void requestWhenUsingHstsThenRespondsWithHstsHeader() throws Exception {
    String hstsHeader = "Strict-Transport-Security";
    String hstsValue = "max-age=31536000 ; includeSubDomains";
    // every default header except HSTS must be absent
    Set<String> mustBeAbsent = new HashSet<>(defaultHeaders.keySet());
    mustBeAbsent.remove(hstsHeader);
    this.spring.configLocations(this.xml("DefaultsDisabledWithHsts")).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(header().string(hstsHeader, hstsValue))
            .andExpect(excludes(mustBeAbsent));
}
/**
 * Disabling content-type options must drop only {@code X-Content-Type-Options}; the remaining
 * default security headers are still written.
 */
@Test
public void requestWhenContentTypeOptionsDisabledThenExcludesHeader() throws Exception {
    String location = this.xml("ContentTypeOptionsDisabled");
    Collection<String> disabled = Arrays.asList("X-Content-Type-Options");
    Map<String, String> remaining = remove(defaultHeaders, disabled);
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(remaining))
            .andExpect(excludes(disabled));
}
/**
 * Disabling HSTS must drop only {@code Strict-Transport-Security}; the remaining default
 * security headers are still written.
 */
@Test
public void requestWhenHstsDisabledThenExcludesHeader() throws Exception {
    String location = this.xml("HstsDisabled");
    Collection<String> disabled = Arrays.asList("Strict-Transport-Security");
    Map<String, String> remaining = remove(defaultHeaders, disabled);
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(remaining))
            .andExpect(excludes(disabled));
}
/**
 * Disabling XSS protection must drop only {@code X-XSS-Protection}; the remaining default
 * security headers are still written.
 */
@Test
public void requestWhenXssProtectionDisabledThenExcludesHeader() throws Exception {
    String location = this.xml("XssProtectionDisabled");
    Collection<String> disabled = Arrays.asList("X-XSS-Protection");
    Map<String, String> remaining = remove(defaultHeaders, disabled);
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(remaining))
            .andExpect(excludes(disabled));
}
/**
 * Disabling cache control must drop the whole anti-caching trio ({@code Cache-Control},
 * {@code Expires}, {@code Pragma}); the remaining default security headers are still written.
 */
@Test
public void requestWhenCacheControlDisabledThenExcludesHeader() throws Exception {
    String location = this.xml("CacheControlDisabled");
    // all three headers are controlled by the single cache-control switch
    Collection<String> disabled = Arrays.asList("Cache-Control", "Expires", "Pragma");
    Map<String, String> remaining = remove(defaultHeaders, disabled);
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(remaining))
            .andExpect(excludes(disabled));
}
/**
 * Disabling frame options must drop only {@code X-Frame-Options}; the remaining default
 * security headers are still written.
 */
@Test
public void requestWhenFrameOptionsDisabledThenExcludesHeader() throws Exception {
    String location = this.xml("FrameOptionsDisabled");
    Collection<String> disabled = Arrays.asList("X-Frame-Options");
    Map<String, String> remaining = remove(defaultHeaders, disabled);
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includes(remaining))
            .andExpect(excludes(disabled));
}
/**
 * Explicitly disabling HPKP must leave the default header set untouched (HPKP is not one of
 * the defaults, so nothing else changes).
 */
@Test
public void requestWhenHpkpDisabledThenExcludesHeader() throws Exception {
    String location = this.xml("HpkpDisabled");
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includesDefaults());
}
/**
 * gh-3986
 *
 * Disabling the defaults without configuring any individual header must produce a response
 * with none of the default security headers.
 */
@Test
public void requestWhenDefaultsDisabledWithNoOverrideThenExcludesAllSecureHeaders() throws Exception {
    String location = this.xml("DefaultsDisabledWithNoOverride");
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(excludesDefaults());
}
/**
 * The default configuration must emit the complete default security header set.
 */
@Test
public void requestWhenHeadersEnabledThenResponseContainsAllSecureHeaders() throws Exception {
    String location = this.xml("DefaultConfig");
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includesDefaults());
}
/**
 * An explicit, otherwise empty headers element must behave like the default configuration and
 * emit the complete default security header set.
 */
@Test
public void requestWhenHeadersElementUsedThenResponseContainsAllSecureHeaders() throws Exception {
    String location = this.xml("HeadersEnabled");
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(includesDefaults());
}
/**
 * HPKP with default settings must be emitted in report-only mode with a sha256 pin and the
 * default max-age. HPKP is deprecated and no longer honoured by mainstream browsers; these
 * tests only pin down how the framework serialises the header.
 */
@Test
public void requestWhenUsingHpkpDefaultsThenIncludesHpkpHeaderUsingSha256() throws Exception {
    String location = this.xml("DefaultsDisabledWithHpkpDefaults");
    String pin = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
    String expected = "max-age=5184000 ; pin-sha256=\"" + pin + "\"";
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(header().string("Public-Key-Pins-Report-Only", expected))
            .andExpect(excludesDefaults());
}
/**
 * With report-only switched off the pin must be sent as the enforcing {@code Public-Key-Pins}
 * header rather than the report-only variant.
 */
@Test
public void requestWhenUsingHpkpReportThenIncludesHpkpHeaderAccordingly() throws Exception {
    String location = this.xml("DefaultsDisabledWithHpkpReport");
    String pin = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
    String expected = "max-age=5184000 ; pin-sha256=\"" + pin + "\"";
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(header().string("Public-Key-Pins", expected))
            .andExpect(excludesDefaults());
}
/**
 * Plain HPKP configuration must default to the report-only header so a mis-pinned key cannot
 * lock clients out; the pin and max-age match the framework defaults.
 */
@Test
public void requestWhenUsingHpkpThenIncludesHpkpHeader() throws Exception {
    String location = this.xml("DefaultsDisabledWithHpkp");
    String pin = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
    String expected = "max-age=5184000 ; pin-sha256=\"" + pin + "\"";
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(header().string("Public-Key-Pins-Report-Only", expected))
            .andExpect(excludesDefaults());
}
/**
 * The include-subdomains option must append the {@code includeSubDomains} directive to the
 * report-only HPKP header.
 */
@Test
public void requestWhenUsingHpkpIncludeSubdomainsThenIncludesHpkpHeaderAccordingly() throws Exception {
    String location = this.xml("DefaultsDisabledWithHpkpIncludeSubdomains");
    String pin = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
    String expected = "max-age=5184000 ; pin-sha256=\"" + pin + "\" ; includeSubDomains";
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(header().string("Public-Key-Pins-Report-Only", expected))
            .andExpect(excludesDefaults());
}
/**
 * A custom max-age must replace the default in the report-only HPKP header.
 */
@Test
public void requestWhenUsingHpkpCustomMaxAgeThenIncludesHpkpHeaderAccordingly() throws Exception {
    String location = this.xml("DefaultsDisabledWithHpkpMaxAge");
    String pin = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
    // one week instead of the default 5184000 seconds
    String expected = "max-age=604800 ; pin-sha256=\"" + pin + "\"";
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(header().string("Public-Key-Pins-Report-Only", expected))
            .andExpect(excludesDefaults());
}
/**
 * A configured report URI must be appended as a quoted {@code report-uri} directive. The
 * fixture uses a plain-http URI; in a real deployment an https report endpoint avoids sending
 * pin-validation failure reports in cleartext.
 */
@Test
public void requestWhenUsingHpkpReportUriThenIncludesHpkpHeaderAccordingly() throws Exception {
    String location = this.xml("DefaultsDisabledWithHpkpReportUri");
    String pin = "d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=";
    String reportUri = "http://example.net/pkp-report";
    String expected = "max-age=5184000 ; pin-sha256=\"" + pin + "\" ; report-uri=\"" + reportUri + "\"";
    this.spring.configLocations(location).autowire();
    this.mvc.perform(get("/").secure(true))
            .andExpect(status().isOk())
            .andExpect(header().string("Public-Key-Pins-Report-Only", expected))
            .andExpect(excludesDefaults());
}
/**
 * A secure request against the Java-config defaults must return the full default security
 * header set with the expected values. The {@code X-XSS-Protection} value asserted here is the
 * framework default being pinned; note that current guidance favours {@code 0} for that header.
 */
@Test
public void loadConfigWhenRequestSecureThenDefaultSecurityHeadersReturned() throws Exception {
    String hstsValue = "max-age=31536000 ; includeSubDomains";
    String cacheControlValue = "no-cache, no-store, max-age=0, must-revalidate";
    this.spring.register(HeadersArePopulatedByDefaultConfig.class).autowire();
    // HSTS is only written for secure requests, hence secure(true)
    this.mockMvc.perform(get("/").secure(true))
            .andExpect(header().string("X-Content-Type-Options", "nosniff"))
            .andExpect(header().string("X-Frame-Options", "DENY"))
            .andExpect(header().string("Strict-Transport-Security", hstsValue))
            .andExpect(header().string("Cache-Control", cacheControlValue))
            .andExpect(header().string("Pragma", "no-cache"))
            .andExpect(header().string("Expires", "0"))
            .andExpect(header().string("X-XSS-Protection", "1; mode=block"));
}